
Bug#927391: marked as done (unblock: jquery/3.3.1_dfsg-2)



Your message dated Fri, 19 Apr 2019 05:54:00 +0000
with message-id <346dab83-c657-0c2c-43a7-1ff999fa9a1b@thykier.net>
and subject line Re: unblock: jquery/3.3.1_dfsg-2
has caused the Debian Bug report #927391,
regarding unblock: jquery/3.3.1_dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927391
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package jquery

Hi all,

jquery is vulnerable to Object.prototype pollution (#927385). I imported
the upstream patch and just upgraded some links in debian files. This patch
does not change normal jQuery behavior but just fixes a security hole
considered as "grave" by the Security team.

There are a lot of reverse dependencies of course (not listed here to
avoid mail pollution ;-)). Anyway, I think it is low risk to upgrade
jQuery in Buster.

Cheers,
Xavier

unblock jquery/3.3.1_dfsg-2
diff --git a/debian/changelog b/debian/changelog
index aed290ff..259a482a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery (3.3.1~dfsg-2) unstable; urgency=medium
+
+  * Team upload
+  * Add patch to prevent Object.prototype pollution (Closes: #927385)
+  * Upgrade links to https
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 18 Apr 2019 22:34:14 +0200
+
 jquery (3.3.1~dfsg-1) unstable; urgency=medium
 
   * Team upload.
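Review bot: the changelog bullet `+  * Add patch to prevent Object.prototype pollution (Closes: #927385)` references only the Debian bug, while the patch file itself is named after the advisory (SNYK-JS-JQUERY-174006); naming that identifier in the changelog entry too lets the security tracker and anyone grepping the changelog match this upload to the upstream advisory without opening debian/patches.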
diff --git a/debian/control b/debian/control
index 9564aeff..126c17ca 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends:
  nodejs,
  pigz,
 Standards-Version: 4.3.0
-Homepage: http://jquery.com/
+Homepage: https://jquery.com/
 Vcs-Git: https://salsa.debian.org/js-team/jquery.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery
 Rules-Requires-Root: no
diff --git a/debian/copyright b/debian/copyright
index a89d1ef6..593fc38f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,7 +1,7 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: jQuery
-Source: http://jquery.com/
-Comment: For more details on developers please see http://docs.jquery.com/Contributors
+Source: https://jquery.com/
+Comment: For more details on developers please see https://docs.jquery.com/Contributors
 Files-Excluded:
  dist
  external/npo
@@ -38,7 +38,7 @@ License: GPL-2
  can be found in </usr/share/common-licenses/GPL-2>.
 
 License: MIT
- Copyright (c) 2011 John Resig, http://jquery.com/
+ Copyright (c) 2011 John Resig, https://jquery.com/
  .
  Permission is hereby granted, free of charge,
  to any person obtaining a copy
diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff
new file mode 100644
index 00000000..5911b9d4
--- /dev/null
+++ b/debian/patches/SNYK-JS-JQUERY-174006.diff
@@ -0,0 +1,37 @@
+Description: Prevent Object.prototype pollution for $.extend( true, ... )
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Last-Update: 2019-04-18
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -159,8 +159,9 @@
+ 				src = target[ name ];
+ 				copy = options[ name ];
+ 
++				// Prevent Object.prototype pollution
+ 				// Prevent never-ending loop
+-				if ( target === copy ) {
++				if ( name === "__proto__" || target === copy ) {
+ 					continue;
+ 				}
+ 
+--- a/test/unit/core.js
++++ b/test/unit/core.js
+@@ -1061,6 +1061,13 @@
+ 	assert.ok( !Array.isArray( result.object ), "result.object wasn't paved with an empty array" );
+ } );
+ 
++QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
++	assert.expect( 1 );
++
++	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
++	assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
++} );
++
+ QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
+ 	assert.expect( 23 );
+ 
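Review bot: the DEP-3 header `+Author: Xavier Guimard <yadd@debian.org>` conflicts with `+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b`; DEP-3 uses Author for the person who wrote the patch, so for an unmodified upstream commit either drop the Author field or keep it for the upstream author and record the importer in a Comment line. Separately, the added QUnit test leaves `Object.prototype.devMode` set whenever the assertion fails, which would leak into every later test in the same run; a `delete Object.prototype.devMode;` after the `assert.ok` keeps a regression isolated to this one test.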
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..1fc60af1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+SNYK-JS-JQUERY-174006.diff

--- End Message ---
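Added example, not code from the bug report or from jQuery itself: a minimal deep merge modelled on the loop patched in src/core.js, run once with only the original never-ending-loop guard and once with the `__proto__` check from the upstream commit, fed the same constructed input that the QUnit test in the patch uses. The `deepExtend` and `pollutes` helpers are this example's own names.

```javascript
// Minimal stand-in for the jQuery.extend( true, ... ) merge loop (example code,
// not jQuery's). `hardened` switches the upstream `__proto__` check on or off.
function deepExtend(target, options, hardened) {
  for (const name in options) {
    const src = target[name];
    const copy = options[name];
    // Before the fix only the never-ending-loop guard existed; the fix adds
    // the key-name check so a "__proto__" key is never merged into.
    if ((hardened && name === "__proto__") || target === copy) continue;
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      // Reusing an existing object here is what makes the unpatched loop
      // recurse into Object.prototype when name is "__proto__".
      const clone = src && typeof src === "object" ? src : {};
      target[name] = deepExtend(clone, copy, hardened);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed input, identical to the document the upstream QUnit test parses.
// JSON.parse creates an *own* enumerable property named "__proto__".
const UNTRUSTED_JSON = '{"__proto__": {"devMode": true}}';

// Merges the untrusted document into a fresh object and reports whether
// Object.prototype picked up `devMode`. Always cleans up so nothing leaks
// into the rest of the process, mirroring the isolation a test suite needs.
function pollutes(hardened) {
  deepExtend({}, JSON.parse(UNTRUSTED_JSON), hardened);
  const leaked = "devMode" in {};
  delete Object.prototype.devMode;
  return leaked;
}

console.log("unpatched merge polluted Object.prototype:", pollutes(false)); // true
console.log("patched merge polluted Object.prototype:  ", pollutes(true));  // false
```

The hardened path still merges ordinary nested objects normally, which is the "does not change normal jQuery behavior" claim from the request.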
--- Begin Message ---
On Thu, 18 Apr 2019 22:46:31 +0200 Xavier Guimard <yadd@debian.org> wrote:
> Package: release.debian.org
> Severity: normal
> Tags: security
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package jquery
> 
> Hi all,
> 
> jquery is vulnerable to Object.prototype pollution (#927385). I imported
> the upstream patch and just upgraded some links in debian files. This patch
> does not change normal jQuery behavior but just fixes a security hole
> considered as "grave" by the Security team.
> 
> There are a lot of reverse dependencies of course (not listed here to
> avoid mail pollution ;-)). Anyway, I think it is low risk to upgrade
> jQuery in Buster.
> 
> Cheers,
> Xavier
> 
> unblock jquery/3.3.1_dfsg-2

Unblocked, thanks.
~Niels

--- End Message ---